Since February 2, 2026, ZeroDayRAT, a powerful mobile spyware platform, has been freely available on Telegram channels. The developers give customers an intuitive web panel for remote control of Android devices from versions 5 to 16 and iOS devices up to version 26 (including the iPhone 17 Pro), and they also maintain dedicated groups for sales, support, and updates. Operators can spy and steal in real time from a basic browser interface; no sophisticated skills are required.
This tool targets users all over the world and goes beyond simple data grabs to include direct financial attacks and live surveillance. According to iVerify, infection begins with social engineering: phishing emails, smishing texts that link to phony apps, phony app stores, or shared links on Telegram and WhatsApp.
Victims install a payload on iOS or an APK on Android, unknowingly giving up complete device access. Once operational, the dashboard displays linked devices, including one in the US and another in India, that are open to abuse.
Overview of the Device and User Profiles
The overview tab displays the compromised device's model, OS version, battery level, country, lock status, SIM information, carrier, dual-SIM numbers, app usage timelines, live activity feeds, and recent SMS previews.
[Figure: The ZeroDayRAT dashboard showing two devices, one in the US and one in India. (Source: iVerify.)]
Operators can quickly build profiles of their victims, including their favorite apps, network providers, and hours of high activity. Without any further investigation, scrolling reveals intercepted carrier notices, bank alerts, and private conversations, providing a complete picture of the user.
Details are covered in separate tabs.
Location tracking lets attackers map past and present movements, such as those of a device in Bengaluru, by plotting GPS data and location history on an embedded Google Maps view. Real-time notification capture records everything, including notifications from Telegram, YouTube, WhatsApp, and Instagram, missed calls, and system events, along with app names, titles, and timestamps. Attackers passively monitor the victim's life without needing to open any app.
[Figure: The compromised Android device's overview tab. (Source: iVerify.)]
The accounts tab lists every registered service, including Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, Flipkart, PhonePe, Paytm, and Spotify, along with usernames and email addresses. This information fuels account takeovers and follow-up phishing.
SMS access undermines SMS-based 2FA for banks and services: operators can search the full inbox, send messages from the victim's number, and identify OTPs.
Real-time monitoring and keylogging
Active surveillance tools include microphone audio, screen captures, and front or rear camera streams, all synchronized with GPS for complete awareness. Operators can hear, see, and locate targets simultaneously. A keylogger records every keystroke, biometric, gesture, and app launch with timestamps and context, and provides a live screen preview alongside.
Attackers can quickly steal passwords or secrets by watching typing as it happens.
[Figure: Real-time GPS tracking of a compromised device in Bengaluru. (Source: iVerify.)]
Financial modules complete the package.
To hijack transfers, the crypto stealer searches for wallet apps such as MetaMask, Trust Wallet, Binance, and Coinbase, recording wallet IDs and balances while swapping addresses on the clipboard. Banking attacks use credential overlays to target UPI apps (PhonePe, Google Pay), Apple Pay, and PayPal, combining traditional and cryptocurrency theft in one tool.
Global reach is demonstrated by the devices reporting back from different nations.











